⚡ Key Takeaways

DarkSword is a full-chain iOS exploit kit that chains six vulnerabilities — three zero-days — in WebKit, dyld, and the kernel to achieve complete iPhone compromise from a single website visit. Google Threat Intelligence confirmed at least three threat groups using it, including Turkish surveillance vendor PARS Defense and a suspected Russian espionage unit, targeting users in Turkey, Malaysia, Saudi Arabia, and Ukraine. Apple expanded patches to iOS 18.7.7 on April 1, 2026.

Bottom Line: Every organization managing iPhone fleets should immediately verify all devices are running iOS 18.7.7 or iOS 26.3 minimum, as DarkSword can fully compromise any unpatched device through a single website visit with no user interaction required.



🧭 Decision Radar (Algeria Lens)

Relevance for Algeria: High
iPhone adoption in Algeria is significant, and with 70 million annual cyberattacks, mobile exploitation is a real threat. The DarkSword targeting pattern across MENA countries including Saudi Arabia makes North African exposure plausible.

Infrastructure Ready? Partial
Algeria has no national CERT with mobile exploit detection capability. MDM solutions are available through international vendors but adoption in government and enterprises is uneven.

Skills Available? Partial
Algeria’s growing cybersecurity workforce can implement patching policies and MDM enforcement. Exploit chain analysis requires advanced skills the new National School of Cybersecurity aims to develop.

Action Timeline: Immediate
DarkSword is actively exploited and patches are available now. Every organization managing iPhone fleets should verify devices are running iOS 18.7.7 or iOS 26.3 minimum.

Key Stakeholders: Enterprise IT security teams, government CISOs, mobile fleet managers, telecom operators

Decision Type: Tactical
This requires immediate operational response — patching, MDM policy enforcement, and mobile threat defense evaluation — rather than long-term strategic planning.

Quick Take: Every organization in Algeria managing iPhone fleets should verify devices are running iOS 18.7.7 or iOS 26.3 minimum immediately. The DarkSword exploit chain demonstrates that a single website visit can compromise an unpatched iPhone completely. Algerian enterprises should enforce MDM policies mandating current OS versions and evaluate mobile threat defense solutions for high-risk personnel.

A Website Visit Is All It Takes

A routine website visit. That is all it takes. The DarkSword exploit kit chains together six vulnerabilities spanning WebKit, Safari, the dynamic loader, and the iOS kernel to achieve full device compromise from a single browser interaction. No clicks required beyond the initial page load. No user interaction after landing on a compromised website.

The exploit chain, publicly documented in March 2026 by Google’s Threat Intelligence Group alongside iVerify and Lookout, forced Apple into a rare emergency patch cycle, ultimately expanding fixes to iOS 18.7.7 on April 1, 2026. Google confirmed the kit had been adopted by multiple threat actors, including a Turkish commercial surveillance vendor, a threat group designated UNC6748, and a suspected Russian espionage group tracked as UNC6353.

The Six Vulnerabilities

DarkSword’s power comes from chaining six distinct vulnerabilities into a seamless attack path. Three are zero-days.

CVE-2025-31277 — JavaScriptCore Memory Corruption. The entry point. A memory corruption flaw in JavaScriptCore, the JavaScript engine underlying all WebKit-based browsers on iOS. Visiting a malicious webpage triggers initial code execution within the browser sandbox.

CVE-2025-43529 — JavaScriptCore Memory Corruption. A second JavaScriptCore flaw used to stabilize the exploit and achieve reliable code execution. Two separate JavaScriptCore bugs suggest the developers had deep knowledge of WebKit internals.

CVE-2025-14174 — ANGLE Memory Corruption. A flaw in ANGLE (Almost Native Graphics Layer Engine), the graphics abstraction layer used by WebKit for GPU-accelerated rendering, providing a pathway to lower-level system components.

CVE-2026-20700 — dyld PAC Bypass. The critical pivot. This vulnerability in dyld, the iOS dynamic loader, bypasses Apple’s Pointer Authentication Codes — hardware-level security introduced with the A12 chip in 2018 specifically to prevent exploit chains like DarkSword.

CVE-2025-43510 — iOS Kernel Memory Management. A kernel flaw enabling privilege escalation from user space to kernel space.

CVE-2025-43520 — iOS Kernel Memory Corruption. The final link achieving persistent kernel-level access and complete device control.

From Browser to Full Compromise

The attack executes in seconds. The JavaScriptCore vulnerabilities achieve code execution inside Safari’s sandbox. The ANGLE flaw is used to escape that sandbox. The dyld vulnerability defeats the PAC hardware protection. The two kernel vulnerabilities escalate to kernel (ring 0) privileges. With kernel-level control, attackers can install persistent implants, exfiltrate data, activate microphones and cameras, and intercept encrypted communications.

The victim sees nothing unusual — perhaps a brief page load delay.


Three Threat Groups, Four Countries

Google’s Threat Intelligence documented PARS Defense, the Turkish commercial surveillance vendor, using DarkSword since at least November 2025 in campaigns targeting users in Turkey and Malaysia. PARS applied sophisticated OPSEC including ECDH and AES encryption between server and victim. The payload delivered was GHOSTSABER, a JavaScript backdoor capable of device enumeration, file listing, data exfiltration, and arbitrary code execution.

Google identified three distinct malware families deployed after DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER — each associated with different threat actors. Campaigns have been observed targeting Saudi Arabia, Turkey, Malaysia, and Ukraine.

The eventual leak of proof-of-concept code to GitHub accelerated proliferation, potentially exposing the technique to less sophisticated attackers. What was exclusive to surveillance vendors is becoming available to cybercriminals.

Apple’s Emergency Response

Apple’s response unfolded in stages. iOS 26 users received patches through the regular iOS 26.3 update cycle. For the hundreds of millions of devices running iOS 18, Apple first released iOS 18.7.7 on March 24 to a limited set of older devices (iPhone XS, XR, 7th-gen iPad), then expanded availability to all supported devices on April 1, 2026.

The multi-week patching timeline highlights a structural challenge: device version diversity and slow OS upgrade adoption create a long tail of vulnerable devices. DarkSword specifically targets iOS 18.4 through 18.7, versions running on the majority of active iPhones worldwide.

The PAC Bypass Changes the Calculus

The most technically significant element is the PAC bypass (CVE-2026-20700). Apple introduced Pointer Authentication Codes with the A12 chip as hardware-level defense against code reuse attacks. PAC signs return addresses and function pointers with cryptographic codes, theoretically preventing attackers from redirecting execution even after achieving memory corruption.

DarkSword’s bypass demonstrates that hardware mitigations, while raising the bar significantly, are not impregnable. This has implications beyond Apple: Intel’s CET, ARM’s MTE, and other hardware security features follow the same paradigm. DarkSword shows these defenses add cost and complexity for attackers but do not eliminate the threat.

Lessons for Enterprise Security

Patch velocity is critical. The window between active exploitation and comprehensive patching spanned months. Organizations enforcing rapid OS updates significantly reduce exposure.

MDM must enforce OS versions. Mobile Device Management solutions that allow indefinite update deferral create persistent vulnerability. Enterprise policies should mandate current or current-minus-one OS versions.

Web browsing is an attack surface. DarkSword’s delivery through compromised legitimate websites bypasses phishing-focused defenses. Mobile threat defense solutions that detect exploit kit activity at the network or device level should be evaluated.

Assume breach for high-value targets. Organizations whose personnel may be targeted by commercial surveillance vendors should implement device rotation, compartmentalized communications, and regular forensic inspections.
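As a defender-side illustration of the version checks the patching and MDM lessons above call for (an added example, not code from the article, Google, or Apple), the script below triages a constructed MDM inventory export against the patch levels the article names: iOS 18.7.7 on the 18 branch and iOS 26.3 on the 26 branch, flagging first the devices still inside the exploited 18.4 through 18.7 range. The CSV column names and the treatment of iOS majors other than 18 and 26 as "unknown" are assumptions.

```python
"""Triage an iPhone inventory against the DarkSword patch levels from the article
(iOS 18.7.7 on the 18 branch, iOS 26.3 on the 26 branch; exploited range 18.4-18.7)."""
import csv
import io
from collections import defaultdict

# Minimum patched version per major, as stated in the article.
PATCHED_MIN = {18: (18, 7, 7), 26: (26, 3, 0)}
# DarkSword targets iOS 18.4 through 18.7, i.e. 18.4 up to (not including) the fix.
EXPLOITED_LO = (18, 4, 0)

# Constructed sample MDM export; the column names are an assumption, not a real schema.
SAMPLE_INVENTORY = """\
device_id,model,os_version
A1,iPhone 15,18.7.7
A2,iPhone 14,18.6
A3,iPhone 16,26.3
A4,iPhone XR,18.7.2
A5,iPhone 13,26.2
A6,iPhone 12,18.3.1
"""

def parse_version(text: str) -> tuple:
    """Normalise '18.7', '18.7.7' or '26.3' into a comparable 3-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or min(parts) < 0:
        raise ValueError(f"bad iOS version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(version: str) -> str:
    """Classify one device: patched, exploited-range, unpatched or unknown."""
    v = parse_version(version)
    minimum = PATCHED_MIN.get(v[0])
    if minimum is None:
        return "unknown"  # major not covered by the fixes the article names (assumption)
    if v >= minimum:
        return "patched"
    if v[0] == 18 and v >= EXPLOITED_LO:
        return "exploited-range"  # 18.4 <= v < 18.7.7: the versions DarkSword hits
    return "unpatched"  # below the fix but outside the documented exploited range

def triage(inventory_csv: str) -> dict:
    """Group device ids by status so the exploited-range list can be actioned first."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups[assess(row["os_version"])].append(row["device_id"])
    return dict(groups)

for status, ids in sorted(triage(SAMPLE_INVENTORY).items()):
    print(f"{status:16} {', '.join(ids)}")
```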



Frequently Asked Questions

What is DarkSword and how does it compromise iPhones?

DarkSword is a full-chain iOS exploit kit that combines six vulnerabilities in WebKit, the iOS dynamic loader (dyld), and the iOS kernel to achieve complete device compromise from a single website visit. It targets iOS 18.4 through 18.7, requires no user interaction beyond loading a webpage, and can install persistent surveillance implants within seconds.

Which threat groups are using DarkSword?

Google’s Threat Intelligence identified at least three groups: PARS Defense (Turkish commercial surveillance vendor) targeting Turkey and Malaysia, UNC6748, and suspected Russian espionage group UNC6353. Proof-of-concept code has leaked to GitHub, broadening availability beyond state-level actors. Campaigns have targeted Saudi Arabia, Turkey, Malaysia, and Ukraine.

Has Apple patched DarkSword and what should users do?

Yes. Apple patched iOS 26 devices through iOS 26.3 and expanded fixes to iOS 18.7.7 on April 1, 2026, covering devices from iPhone XR through iPhone 16. All iPhone users should update immediately. Organizations should enforce automatic updates through MDM and verify that no managed devices remain on iOS 18.4 through 18.7 without the patch.
